Data storage systems

ABSTRACT

A storage adapter for use in a data storage subsystem includes a controlling processor, a volatile memory, and a nonvolatile memory “dump device.” The storage adapter also includes a battery that can be used to provide sufficient power to the storage adapter to allow data from the volatile memory to be written to the nonvolatile memory of the storage adapter under the control of the processor in the event of an interruption or failure in the main power supply to the storage adapter, i.e. to preserve data stored in the volatile memory in that event. The processor uses the current state of charge of the battery to determine the amount of data that can be “dumped” to the nonvolatile dump device using the battery in its current state. The processor then uses that determined amount of data to control the storage of data in the volatile memory.

PRIORITY CLAIM

This application claims priority of United Kingdom Patent Application No. 0320142.3, filed on Aug. 28, 2003, and entitled, “Data Storage Systems.”

BACKGROUND OF THE INVENTION

1. Technical Field

The present invention relates to data storage systems and more particularly to storage systems that are arranged to “dump” the contents of a volatile memory in the event of a power failure so as to make the contents of the volatile memory persistent across power failures.

2. Description of Related Art

Many computer systems include a so called “storage subsystem” for storing data. Such a storage subsystem will typically comprise one or more adapters, controllers and disks, such as, for example, a redundant array of independent disks (a RAID system). It can often be the case in such storage subsystems for data that is to be written to the main nonvolatile memory, e.g. disk array, to first be stored temporarily in a local faster, volatile cache memory before it is stored on the disk drive. One example of this type of operation is so called “fast write caching”, in which data to be stored is first written to a volatile memory, so that the application storing the data can then be freed to proceed with another write operation without needing to wait until the data has been written to the disk drive (which can take a relatively long time).

The cache memory used to temporarily store the data before it is written to a disk drive in such systems is usually of a volatile type, since such memories are usually faster and smaller than nonvolatile storage devices. However, this then has the disadvantage that data stored in the cache memory could be lost in the event of a power failure (since that data has yet to be written to the nonvolatile memory, but will, typically, have been assumed to have already safely been stored in nonvolatile memory by the applications using the storage subsystem (such that the applications will no longer continue to preserve that data)). There is therefore a need in such systems to maintain the integrity of the data stored in the volatile memory in the event of a power failure or interruption.

As well as for fast write caching, the need to maintain the integrity of data stored in a volatile memory in the event of a power failure or interruption can also be important in, e.g. RAID functions or copy services.

It would be possible to reduce the risk of data loss from the volatile memory in the event of a power failure or interruption by providing, e.g., a reserve battery supply for maintaining the volatile memory in the event of a power failure. However, the Applicants have found that that can lead to significantly reduced performance.

It has also been suggested therefore to provide in such systems an arrangement whereby an, e.g., memory controller, can dump the contents of the cache memory to a nonvolatile memory using an auxiliary or backup power supply such as a battery in the event that a power failure is detected. This preserves the data in the cache memory and allows it to be retrieved from where it was “dumped” to once power is restored so that it can then be properly written to the, e.g., disk drives of the storage subsystem. U.S. Pat. No. 5,748,844 describes one such prior art system. An advantage of this type of system is that the battery power required to dump the data to the nonvolatile memory may be less than that required to, e.g., maintain the volatile memory for any significant period of time.

Volatile memory that is protected, e.g., by the ability to dump its contents to a nonvolatile memory, in the event of a power failure or interruption is often referred to as “persistent” memory, since its contents will persist (and be preserved) across power supply failures.

However, one drawback that the Applicants have recognised with “data dumping” systems, is that once a power failure has occurred and the contents of the volatile memory dumped under battery power, there may then be insufficient capacity remaining in the battery to carry out another “data dump” in the event of another power failure until such time as the battery has been recharged. However, it could take, e.g., up to one hour for the battery to be fully charged again, during which time use of the volatile memory may have to be suspended if the risk of data loss is to be avoided.

This problem could be reduced by using, e.g., a sufficiently large or oversize battery, or more than one battery, but that may not always be practicable or desirable and such a battery or batteries could still in some circumstances become exhausted. Another approach might be to mirror the system so that there is a backup volatile memory and battery but again that may not always be practicable or desirable.

The Applicants believe therefore that there remains scope for improvements to existing memory schemes where the contents of a volatile memory are protected by a battery-powered “data dump” to a nonvolatile storage device in the event of a power failure.

SUMMARY OF THE INVENTION

Thus, the present invention includes a storage adapter for use in a data storage subsystem, the storage adapter including a controlling processor, a volatile memory, and a nonvolatile memory “dump device.” The storage adapter also includes a battery that can be used to provide sufficient power to the storage adapter to allow data from the volatile memory to be written to the nonvolatile memory of the storage adapter under the control of the processor in the event of an interruption or failure in the main power supply to the storage adapter, i.e. to preserve data stored in the volatile memory in that event. The processor uses the current state of charge of the battery to determine the amount of data that can be “dumped” to the nonvolatile dump device using the battery in its current state. The processor then uses that determined amount of data to control the storage of data in the volatile memory.

The above, as well as additional purposes, features, and advantages of the present invention will become apparent in the following detailed written description.

BRIEF DESCRIPTION OF THE DRAWINGS

A number of preferred embodiments of the present invention will now be described by way of example only and with reference to the accompanying drawings, in which:

FIG. 1 shows schematically a storage adapter that can be used in accordance with the present invention;

FIG. 2 is a graph illustrating the operation of the storage adapter of FIG. 1 in accordance with the present invention; and

FIG. 3 is a state diagram showing the possible states of the storage adapter shown in FIG. 1 when operating in accordance with the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

According to a first aspect of the present invention, there is provided an apparatus for protecting data in a data storage subsystem in the event of a power loss. The apparatus is logically positioned between a host computer and a hard drive. The apparatus includes a volatile memory that stores a mirror copy of data being sent from the host computer to the hard drive. In the event of a power loss, data that was lost by system memory and cache memory in the host computer, and which had not yet been stored in the hard drive, is sent from the volatile memory in the apparatus to a low-power flash memory. When the host computer regains power, then the data in the flash memory is restored in the volatile memory in the apparatus. The volatile memory then sends the data, either directly or through the host computer, to the hard drive for persistent storage. In a preferred embodiment, the apparatus includes means for determining the amount of stored power in the battery, and means for determining the amount of data stored in the volatile memory that can be written to the flash memory, based on the amount of stored power in the battery.

Knowing the amount of data in the volatile memory that can be protected by the temporary power supply at any given time facilitates, for example, instead of, as in the prior art, having to suspend use of the volatile memory until the temporary power supply is fully recharged if data integrity is to be preserved after a power supply interruption, still using the storage subsystem “normally” using the volatile memory, since the storage subsystem can, e.g., be (and preferably is) controlled not to store more data in the volatile memory than the determined amount of data that can be “protected” using the current determined capacity of the temporary power supply.

The present invention therefore facilitates, for example, use of the volatile memory (at least up to the data amount that can be protected) to be resumed immediately or at least shortly after a power supply interruption and without the need to wait for the temporary power supply to be fully recharged. This facilitates, e.g., the storage subsystem returning to its normal mode of operation using the volatile memory more swiftly than in prior art such systems.

The volatile memory of the storage subsystem of the present invention can be any suitable such memory. It could, as discussed above, for example, be a cache memory, such as a write cache in a storage subsystem. It is preferred for the volatile memory to be “high performance”.

The nonvolatile memory can similarly be any suitable such memory. It is particularly preferred for the nonvolatile memory to be one that is compact and that can be written to with a relatively low power consumption, as that, e.g., facilitates fitting the nonvolatile memory onto a storage adapter, and the transfer of data to the nonvolatile memory to be powered by a relatively low power, power source, such as a (relatively small) battery (which can accordingly be smaller in size). It is accordingly preferred for the nonvolatile memory to be separate from, and additional to, the “main” nonvolatile memory, e.g., disk drive array, of the storage subsystem. In a particularly preferred embodiment, the nonvolatile memory comprises a flash memory or a “micro” disk drive.

The temporary power supply can be any suitable such power supply. It should be able to provide enough power to write the data from the volatile memory to the nonvolatile memory, but does not otherwise have to be able to power any remaining components of the overall storage subsystem. Thus, for example, where, as discussed above, the nonvolatile memory is in the form of an additional, auxiliary memory device, the temporary power supply would not need to (and preferably does not) power the main hard disk array of the storage subsystem. The temporary power supply is preferably uninterruptible. In a particularly preferred embodiment it comprises a (rechargeable) battery.

The state of the temporary power supply that is determined should be such that the amount of data that can be written to the nonvolatile memory with the power supply in its determined state can be determined. Thus, for example, in the case of a battery-based power supply, the capacity or state of charge of the battery could be determined. This could be done, e.g., by determining and storing in advance the charging and discharging characteristics of the battery, the fully charged capacity of the battery and how long it can run the system for when fully charged. By then measuring how long the battery charges and discharges for when in use and using this previously determined information, the current state of the battery can be determined.

The determination of the state of the temporary power supply should be such as to provide at least a reasonable indication of the “current” state of the temporary power supply. Thus, it is preferably determined at regular intervals, such as every minute or every few minutes, and/or in response to the occurrence of a particular event or events. The current state of charge of the temporary power supply should be recorded in nonvolatile memory so that it also survives any power supply failure. It is preferably stored in a non-volatile memory device, such as an EEPROM (Electronically Erasable Programmable Read-Only Memory), mounted on the temporary power supply, e.g. battery, itself.

The amount of data that can be written to the nonvolatile memory using the temporary power supply can be determined in any desired and suitable manner. Thus, this amount could, e.g., be determined using the known characteristics of the nonvolatile memory to which the data is to be “dumped”. For a solid-state, flash nonvolatile memory there will typically be a linear relationship between the amount of power available and the amount of data that can be “dumped”. For a “microdrive”, a more sophisticated conversion may be necessary.

Preferably the maximum possible amount of data that could be transferred to the nonvolatile memory is determined, and the amount of data to be transferred then set to a value that is a selected, preferably predetermined, margin less than that amount. This “safety” margin could, e.g., be based on the estimated accuracy of the determined current state of the temporary power supply and of the determined amount of data that can be “dumped” using the temporary power supply in that state.

The interruption of the (non-temporary) power supply to the memory storage system (thereby triggering a switch to data storage using the temporary power supply) can be detected in any suitable manner known in the art.

It will be appreciated from the above that, at least where the temporary power supply is not in its fully charged state, the amount of data that can be transferred to the nonvolatile memory in the event of a power interruption may well be less than the amount of data that is actually stored in the volatile memory (i.e. such that not all of the contents of the volatile memory can be transferred to the nonvolatile memory using the temporary power supply). Indeed, this would also be the case where the volatile memory has a data capacity that is larger than the amount of data that can be transferred to the nonvolatile memory using the temporary power supply even when the temporary power supply is fully charged (which may be desirable in some circumstances, such as, for example, where a relatively large volatile memory capacity is required, but not all the data stored in the volatile memory at any given time may need to be preserved across power interruptions).

Thus in a particularly preferred embodiment, data stored in the volatile memory is denoted as either being data that should be “dumped” (i.e. written (copied)) to the nonvolatile memory in the event of a power interruption, or as data that does not need to be so dumped. This could be done by, e.g., the data that will be written to the nonvolatile memory (and thereby will be preserved in the event of a power interruption) being marked appropriately, e.g. as so-called “hardened” data (with the data that does not need to be so written then being “soft” data). This could be done, e.g., by firmware in the storage subsystem controller. When a power interruption is detected, the data marked as “hardened” would then be written to the nonvolatile memory.

In such an arrangement, the volatile memory will contain some data that is “hardened”, i.e. to be preserved using the temporary power supply when a power failure or interruption occurs, and other data that is “soft”, i.e. that will be lost when a power failure or interruption occurs.

In a particularly preferred embodiment, the storage system of the present invention includes means for setting and controlling the amount of data that can be hardened (i.e. that can be denoted as to be written to the nonvolatile memory using the temporary power supply in the event of a power failure or interruption). The system then preferably operates such that up to the set amount of data (but no more) in the volatile memory can be “hardened”.

In a particularly preferred such embodiment, the amount of data in the volatile memory that is permitted to be hardened is set equal to the amount of data that it is determined can be written to the nonvolatile memory using the temporary power supply as discussed above (i.e. is determined based on the state of the temporary power supply that will be used to write that data to the nonvolatile memory in the event of a power supply failure or interruption). This will ensure that only so much data in the volatile memory as can at the time safely be transferred to the nonvolatile memory using the temporary power supply is allowed to be “hardened” (i.e. denoted as to be preserved in the event of a (main) power supply failure or interruption).

Such an arrangement again facilitates the storage subsystem returning to normal operation and use of the volatile memory after a power supply interruption before the temporary power supply, e.g. battery, is fully recharged, since by preventing more data than can be safely transferred to the nonvolatile memory using the temporary power supply from being treated as “hardened” data in the volatile memory, the possibility of data that clients of the storage system would assume had been preserved being lost in the event of another power supply interruption is reduced and even eliminated.

It is accordingly believed that this arrangement is new and advantageous in its own right, and further that its inclusion in a computer system is likewise new and advantageous.

Furthermore, the present invention includes means for denoting data stored in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption, as well as means for determining the amount of data stored in the volatile memory that can be denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the determined state of the temporary power supply.

According to another aspect of the present invention, there is provided a method of operating a data storage subsystem comprising a volatile memory, a nonvolatile memory, and a temporary power supply for temporarily supplying power to the system in the event of a power supply interruption. Steps in the method include determining an amount of data that can be stored in the volatile memory and denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the state of the temporary power supply.

As will be appreciated by those skilled in the art, these arrangements and aspects of the present invention can include any one or more or all of the preferred features of the present invention described herein.

It will be appreciated that in these arrangements, where a power interruption has occurred and data from the volatile memory has accordingly been written to the nonvolatile memory using the temporary power supply, then the data transfer capacity of the temporary power supply will be reduced as compared to its previous value. In that case, the amount of data in the volatile memory that the system is currently permitting to be hardened may exceed the current data transfer capacity of the temporary power supply.

The Applicants have recognised that in this situation, if the “hardened” data stored in the volatile memory were to be changed in any way, then there would be a risk that the changed “hardened” data would be lost if another power interruption then occurs while the stored “hardened” data exceeds the data transfer capacity of the temporary power supply, since there would be insufficient power to dump all of the changes to the nonvolatile memory. (However, the original dumped hardened data is still protected, since a copy of it is still stored in the nonvolatile memory.)

However, once the amount of stored hardened data is less than or equal to the amount of such data that can be safely protected by the temporary power supply, then changes to the hardened data in the volatile memory can be safely permitted. The Applicants have further recognised that this state can be reached more quickly by existing users of hardened data “softening” their existing hardened data so as to reduce the amount of such data in the volatile memory.

It should be appreciated in this regard, that the “users” of hardened data in storage subsystems of the type of the present invention will be the “components” of the storage subsystem firmware that implement the basic data storage functions, such as fast-write caching, RAID5 APU or copy services. For example, data storage subsystems of the type that the present invention is applicable to may typically contain firmware client components in the form of a number of independent software layers performing, e.g., copy services, caching and RAID storage, each of which may need to use hardenable memory. Such firmware components can be viewed as client components of the storage subsystem (with the persistent memory management components of the storage subsystem firmware accordingly being “server components”).

It is these firmware client components of the storage subsystem that actually harden and soften data and use hardenable data for their operations. This should be contrasted with external “clients” of the storage subsystem that will make input/output requests to the storage subsystem but will not themselves directly control or use hardened data (rather the control and use of hardened data will be decided and done by the firmware client components of the storage subsystem as they implement the input/output requests of the external client applications of the storage subsystem, independently of the external client applications).

Thus, in a particularly preferred embodiment, at least after a data “dump” has occurred, the current amount of “hardened” data in the volatile memory is compared with the determined currently permitted amount of hardened data, and where the current amount of hardened data exceeds the permitted amount, the firmware client components of the storage subsystem that use hardened data are instructed or controlled to “soften” their hardened data (i.e. to no longer denote it as data that should be written to the nonvolatile memory in the event of a power failure or interruption) until the amount of stored hardened data is less than or equal to the currently permitted amount of hardened data.

Most preferably, normal use of hardened data in the storage subsystem is suspended and not permitted until the amount of hardened data in the volatile memory is less than or equal to the determined currently permitted amount of hardened data, at which point normal operation and use of hardened data in the storage subsystem (albeit potentially with a smaller overall capacity for hardened data in the volatile memory) can be (and is) resumed. Then, as the temporary power supply's capacity increases (e.g. as the battery recharges), the amount of permitted hardened data can be increased until the maximum permitted amount is again reached.

Preferably, the storage subsystem is placed in a “read-only” state for hardened data (i.e. such that such data can only be read from the volatile memory, and no new hardened data can be written), until the amount of hardened data is below the determined permitted amount, at which point normal “read/write” operation for hardened data (and in particular the ability to write hardened data to the volatile memory) is restored.

This form of operation is advantageous because normal system operation can be resumed after a short period of data “softening” (which may typically take only a few seconds) rather than having to wait for the temporary power supply to be fully restored, and yet there is still a reduced or no risk that apparently “hardened” data will be lost.

In another embodiment of the present invention, the inventive apparatus includes means for setting a permitted amount of data stored in the volatile memory that can be denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the determined state of the temporary power supply, means for comparing the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption with the set permitted amount of such data, and means for, where the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the permitted amount of such data that has been set, instructing a firmware client component of the storage subsystem to reduce the amount of data they have denoted in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption.

According to another aspect of the present invention, there is provided a method of operating a data storage subsystem which comprises a volatile memory, a nonvolatile memory, and a power supply for temporarily supplying power to the storage subsystem in the event of a power supply interruption and in which data stored in the volatile memory can be denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption. The method includes the step of determining a permitted amount of data stored in the volatile memory that can be denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of a determined state of the temporary power supply. The amount of data stored in the volatile memory that is denoted as being data that should be written to the non-volatile memory is compared to a determined amount of such data that can technically be stored, according to the amount of battery power available. If the amount of stored data denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the determined permitted amount of such data, then a firmware client component of the storage subsystem is instructed to reduce the amount of data denoted in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption.

If the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the determined permitted amount of such data, the writing of any new data in the volatile memory that is denoted as being data that should be written to the nonvolatile memory is prevented, while the amount of data in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption exceeds the permitted amount of such data.

These aspects and arrangements of the invention can again include any one or more or all of the preferred and optional features of the present invention described herein.

The Applicants have further recognised that in situations where, for example, the amount of volatile memory that can be “hardened” is limited as discussed above, and particularly in circumstances where the permitted hardened memory capacity has been reduced such that existing hardened memory must be “softened”, then there may need to be some form of selection as to which data is to be hardened and/or softened, for example, where it would ideally be desirable for more than the permitted amount of data to be hardened, or where some existing hardened memory has to be softened to allow normal storage subsystem operation to resume. This situation could be exacerbated where there are, for example, plural firmware client components of the storage subsystem that can use or are using the storage subsystem, each with conflicting demands for “hardened” memory capacity. Such firmware client components of the storage subsystem could, e.g., be, as discussed above, software “layers” that are part of the firmware of, e.g., the storage subsystem adapter or controller.

While it would be possible simply to allocate the available amount of “hardenable” (persistent) memory (i.e. data that can be hardened) on an, e.g., first come, first served basis, or to, e.g., statically divide the entire memory pool between the storage subsystem client components, in fixed proportions, the Applicants have recognised that such schemes may not permit the most efficient use of the available hardenable memory, and/or the fastest return to normal operation where existing hardened data needs to be softened for that to take place.

For example, data storage subsystems of the type that the present invention is applicable to may typically contain, as discussed above, firmware client components in the form of a number of independent software layers performing, e.g., copy services, caching and RAID storage, each of which may need to use hardenable memory and which without access to sufficient hardenable memory (e.g. sufficient hardenable memory to process one input/output request) may become deadlocked. Furthermore, these software layers are usually effectively stacked one on top of each other, with each layer effectively operating to write to the layer or layers below (e.g. a fast write cache will cache data for and write that data to, a RAID array below it). This can mean that if the lower layers cannot process data, e.g., because they do not have access to sufficient hardenable memory, the layers above them will also become deadlocked.

Thus the Applicants have recognised that simply allocating the available hardenable data capacity in the volatile memory equally between the storage subsystem's client components (e.g. software layers) or on a first come, first served basis may not, e.g., permit the most efficient softening of existing hardened data.

It is accordingly preferred that the available hardened data capacity (and/or, e.g., accordingly the requirement to soften existing hardened data when that is necessary) is allocated dynamically to firmware client components of the storage subsystem. Most preferably the storage in the volatile memory of hardened data is controlled based on the nature of the data to be stored and/or the nature of the client component requesting storage of the data and/or use of the hardenable data capacity in the volatile memory.

The control of the storage of hardened data in the volatile memory preferably relates to permitting (or not) the storage of such data. Most preferably, it relates to allocating given proportions or amounts of available hardenable data capacity to the respective data types, client components, etc. Thus in a particularly preferred embodiment, each firmware client component of the storage subsystem will have its own, individual (variable) hardenable data allocation (capacity), which it will be controlled, as discussed above, from exceeding.

In a particularly preferred such embodiment, access to the hardenable memory capacity in the volatile memory is based on priority allocations given to the firmware client components of the storage subsystem. Most preferably, in such an embodiment, different priority levels for access to hardened memory are allocated to, e.g., different types of data and/or different firmware client components of the storage subsystem, and the available amount of hardenable memory is then allocated, and/or the softening of existing hardened memory is then controlled, on the basis of the priority allocations.

The way that firmware client components of the storage subsystem are prioritised for hardened data capacity use and allocation can be selected as desired. In a particularly preferred embodiment, firmware client components of the storage subsystem that require hardenable memory to ensure data integrity are preferably given a higher priority than client components that only require hardenable memory for increased performance, which client components are in turn preferably given a higher priority than any client components for which hardenable memory is neither required for data integrity nor permits increased performance.

It is particularly preferred for the access to and allocation of the available hardenable memory (e.g. priority allocations) to also or instead be based on the dependencies between firmware client components of the storage subsystem for processing their, e.g., input/output requests, and/or (accordingly) when softening their hardened data. Thus, for example, if a first firmware client component of the storage subsystem is dependent on a second client component to process its write (or read) operations (which operations may, e.g., need to be completed to allow the first client component to successfully soften its existing hardened data), the second client component is preferably allocated a higher priority for the hardenable memory allocation, as that may then, e.g., permit the first client component to soften its hardened data more quickly. As discussed above, such a situation can typically arise where upper software layers in a client component “stack” are dependent on the ability of lower layers in the client component stack to process input/output requests to be able themselves to soften their hardened data.

It is accordingly preferred for these “lower layer” client components on which other client components depend to be allocated a higher priority for hardenable memory allocation, so as to allow them to complete their I/O requests faster and accordingly permit client component layers above them to soften their hardened data. Thus, preferably, the lower layers in the client component “stack” are given preferential access to the available hardenable memory, particularly where it is necessary to soften existing hardened data.

Thus, in a particularly preferred embodiment, the storage in the volatile memory of hardened data by different firmware client components of the storage subsystem is controlled on the basis of the dependency of at least one of the client components on another client component or components for processing its input/output requests to the storage system.

Most preferably, the access (or otherwise) to hardenable data capacity by a client component (and preferably by all of the client components), and/or the amount of available hardenable data capacity allocated to a client component (and preferably to each of the client components), is based on the relevant client component dependencies of the (or each) client component. Most preferably, the storage of hardened data in the volatile memory is controlled based on the dependencies of more than one (and preferably of all) of the client components on another client component or components (and preferably on all of the other client components) for processing their input/output requests to the storage subsystem.

In a particularly preferred such embodiment, the available hardenable (persistent) memory is assigned in a priority order that best enables the storage subsystem to soften hardened data when necessary, as this enables the amount of hardened data to be reduced to a quantity that matches or is below the available hardenable memory as quickly as possible (and accordingly the system to be returned, as discussed above, to normal operation as quickly as possible). Thus, in a particularly preferred embodiment, the storage in the volatile memory of hardened data by different firmware client components of the storage subsystem is controlled on the basis of the ability of one or more of the client components to reduce the amount of hardened data that it or they have stored in the volatile memory.

In a particularly preferred embodiment, the available hardenable memory is allocated firstly to client components that need persistent memory to ensure data integrity, and then once those client components' needs have been satisfied, to client components on which other client components are dependent to be able to soften their existing hardened data. Then, as the available pool of hardenable memory increases, any hardenable memory capacity not required for these client components is allocated to the remaining client components in an order which enables increased (and preferably best) performance of the system.

In a particularly preferred embodiment, when the permitted amount of hardened data that can be stored in the volatile memory is at its maximum value (e.g. when the temporary power supply is fully charged), the available hardened data capacity is divided among the firmware client components of the storage subsystem firmware according to fixed, preferably predetermined, proportions, but when the amount of hardened data capacity is less than the maximum amount, the available hardened data capacity is allocated dynamically using a priority scheme, as discussed above.

The present invention can be used in any data storage system where it is desired to, e.g., make the contents of a volatile memory “persistent” across power interruptions and failures, and/or in which the contents of a volatile memory can be made persistent across power interruptions and failures. It is therefore applicable to storage subsystems in general, and to, for example, applications such as write caching, RAID5 atomic parity update and copy services.

The apparatus of the present invention can be implemented in the storage subsystem as desired. In a particularly preferred embodiment it is in the form of a storage adapter for a storage subsystem, which comprises, e.g., the volatile and nonvolatile memories, the temporary power supply, and a processor for carrying out the various functions described herein.

In operation of a data storage subsystem in accordance with the present invention, when the main power supply is operating normally, data will be stored in the volatile memory and then, e.g., written elsewhere, as is known in the art. In the event of a power failure, the system will switch to its temporary power supply and contents of the volatile memory will be written to the nonvolatile memory to preserve them. When this has been completed, the temporary power supply will be turned off. When the main system power returns, the “preserved” data from the nonvolatile memory will be read back to the volatile memory and the operations to write it “properly” to the nonvolatile memory continued and completed. The temporary power supply will (where appropriate) also be recharged. This is basically similar to the operation of prior art data storage subsystems.

However, in the present invention, “normal” operation of the storage subsystem and in particular normal use of the volatile memory can be and preferably is resumed before the temporary power supply has been fully recharged. For example, in accordance with the preferred embodiments of the invention discussed above, once a power supply interruption has occurred, firmware client components of the storage subsystem are instructed to soften their existing hardened data in the volatile memory until the amount of hardened data falls below the amount of hardened data that can be supported by the temporary power supply in its current state, at which point normal operation of the system can be resumed (albeit with a reduced available capacity for hardened data in the volatile memory).

The methods in accordance with the present invention may be implemented at least partially using software e.g. computer programs. It will thus be seen that when viewed from further aspects the present invention provides computer software specifically adapted to carry out the methods hereinabove described when installed on data processing means, and a computer program element comprising computer software code portions for performing the methods hereinabove described when the program element is run on data processing means. The invention also extends to a computer software carrier comprising such software which when used to operate a data storage subsystem or an apparatus for controlling such a system comprising data processing means causes in conjunction with said data processing means said system or apparatus to carry out the steps of the method of the present invention. Such a computer software carrier could be a physical storage medium such as a ROM chip, CD ROM or disk, or could be a signal such as an electronic signal over wires, an optical signal or a radio signal such as to a satellite or the like.

It will further be appreciated that not all steps of the method of the invention need be carried out by computer software and thus from a further broad aspect the present invention provides computer software and such software installed on a computer software carrier for carrying out at least one of the steps of the methods set out hereinabove.

The present invention may accordingly suitably be embodied as a computer program product for use with a computer system. Such an implementation may comprise a series of computer readable instructions either fixed on a tangible medium, such as a computer readable medium, for example, diskette, CDROM, ROM, or hard disk, or transmittable to a computer system, via a modem or other interface device, over either a tangible medium, including but not limited to optical or analogue communications lines, or intangibly using wireless techniques, including but not limited to microwave, infrared or other transmission techniques. The series of computer readable instructions embodies all or part of the functionality previously described herein.

Those skilled in the art will appreciate that such computer readable instructions can be written in a number of programming languages for use with many computer architectures or operating systems. Further, such instructions may be stored using any memory technology, present or future, including but not limited to, semiconductor, magnetic, or optical, or transmitted using any communications technology, present or future, including but not limited to optical, infrared, or microwave. It is contemplated that such a computer program product may be distributed as a removable medium with accompanying printed or electronic documentation, for example, shrink wrapped software, preloaded with a computer system, for example, on a system ROM or fixed disk, or distributed from a server or electronic bulletin board over a network, for example, the Internet or World Wide Web.

With reference now to the figures, and particularly to FIG. 1, there is shown schematically the layout of a storage adapter 1 for use in a data storage subsystem in accordance with an embodiment of the present invention. The storage adapter 1 is basically operable to interface between a host microprocessor system 2 and a main nonvolatile memory disk array 3 and can, e.g., be in the form of an adapter “card”, as is known in the art. The storage adapter 1 operates to input and output data from the host system 2 to the hard disk array 3.

The storage adapter 1 includes a controlling processor 4, a volatile memory 5 (which in this embodiment is in the form of an SDRAM (Synchronous Dynamic Random Access Memory), although other forms of volatile memory could be used, if desired), and a nonvolatile memory “dump device” 6 in the form of a flash memory, such as a compact flash device. (Other forms of nonvolatile memory, such as a “micro” disk drive, could be used if desired. The basic requirement for the nonvolatile memory 6 is that it should be a compact and low power device that can be run using power supplied by a temporary power supply of the storage adapter (see below)).

The storage adapter 1 also includes a battery charger 7, a bridge 8 for interfacing between, inter alia, the processor 4, volatile memory 5, nonvolatile memory 6, and a PCI bridge and memory controller unit 9 that interfaces between and connects the host system 2 and the hard disk array 3.

The storage adapter 1 includes a temporary power supply in the form of a battery 10. Other forms of temporary power supply would be possible, if desired. This battery power supply 10 is used, as will be discussed further below, to provide sufficient power to the storage adapter 1 to allow data from the volatile memory 5 to be written to the nonvolatile memory 6 of the storage adapter under the control of the processor 4 in the event of an interruption or failure in the main power supply to the storage adapter 1, i.e. to preserve data stored in the volatile memory in that event. The battery 10 should accordingly have sufficient capacity to provide power for this purpose, but it should be noted that it is not necessary for the battery 10 to, and indeed it is preferred for this temporary power supply not to, provide power for operating and writing data to the disk array 3 of the storage subsystem.

In normal operation, the storage adapter 1 operates to receive input and output requests from the host system 2, and to accordingly store data in or retrieve data from the disk array 3 for the host system 2. The actual data storage and retrieval is implemented as is known in the art, by firmware “client” components of the storage adapter 1, that implement functions on the basic storage, such as fast-write caching, RAID5 APU and copy services in order to carry out the input and output requests from the host system 2. As part of this process, as is known in the art, the storage adapter 1 firmware may temporarily store data received from the host system 2 in the volatile memory 5, before that data is transferred to the disk array 3. As discussed above, in the event that there should be a power supply failure to the storage adapter 1 and hence volatile memory 5, the data stored in the volatile memory 5 would be lost. This can be disadvantageous, particularly where the storage adapter 1 is, for example, carrying out “fast write caching”.

The storage adapter 1 accordingly includes, as discussed above, a temporary power supply in the form of a battery 10, which can be used to write data from the volatile memory 5 to the nonvolatile memory dump device 6 in the event of a main power supply failure, so as to preserve that data. To facilitate this, the storage adapter 1 includes hardware to detect the loss of system power and then switch to the temporary power supply of battery 10 whilst maintaining power to the necessary components of the storage adapter 1.

The data in the volatile memory 5 which must survive (i.e. persist) across a main power supply interruption or failure is marked as “hardened” by the adapter firmware. Then, when a power supply interruption is detected, the adapter 1 switches to the temporary power supply of battery 10, and dumps the parts of the volatile memory 5 which have been “hardened” to the nonvolatile dump device 6. When the data “dump” has been completed, the temporary power supply is turned off. When system power returns, the data from the dump device 6 is read back into the volatile memory 5 and normal operation resumed. The discharged temporary power supply of battery 10 is then recharged using the battery charger 7. It should be noted here that a data “dump” in these circumstances will typically only take two or three minutes, whereas to fully recharge the battery 10 may take of the order of one hour.

Data that is marked as “hardened” in the volatile memory 5 can also be “softened” by the adapter firmware, for example, when that data is no longer required to persist over power outages.

The processor 4 of the storage adapter 1 also includes, in accordance with the present invention, means for determining the quantity of data in the volatile memory 5 that can be protected by the temporary power supply 10 at any given time, and accordingly to control the amount of data in the volatile memory 5 that can be stored as “hardened” data.

The processor 4 does this by first determining the state of the temporary power supply 10. It does this using a predetermined table of the charging and discharging characteristics of the battery 10 and by timing how long the battery 10 is charged or discharged for. The state of the battery 10 is updated every few minutes, and the current state of charge is recorded in a nonvolatile storage device in the form of an EEPROM mounted on the battery 10 (so that this information also survives any main power supply interruption).

The processor 4 then uses the current state of charge of the battery 10 to determine the amount of hardened data that can be “dumped” to the nonvolatile dump device 6 using the temporary power supply battery 10 in its current state. The relationship between the current state of the battery 10 and the amount of hardened data that can be dumped to the nonvolatile dump device 6 is again predetermined, using, for example, the known characteristics and power usage requirements for writing to the nonvolatile memory dump device 6. It could be based on, e.g., the amount of time that the battery 10 can power the adapter for and the amount of data that can be written to the nonvolatile memory in that time.

Where the nonvolatile dump device 6 is a flash memory device, as in the present embodiment, there will typically be a linear relationship between the state of charge of the battery 10 and the amount of data that can be dumped. More sophisticated determinations may be necessary in the case of, e.g., micro disk drives, since in that case the write rate to the micro disk drive will not be constant and so the relationship between the state of charge and the amount of data that can be dumped may not be linear.

As part of its calculation, the processor 4 also determines a “safety” margin, based on the known accuracy of the estimation of the time the battery 10 can power the storage adapter 4 for, and the accuracy of the estimation of the amount of data that can be dumped in that time.

In this way, the processor 4 determines the amount of data that can safely be stored in the volatile memory 5 as hardened data at any given time.

The processor 4 then uses the determined amount of data that can be safely hardened in the volatile memory 5 to control the hardening of data in that memory. The determined permitted amount of hardened data will be referred to herein as the “guarantee”, and the processor 4 operates so as to try to maintain the amount of hardened data in the volatile memory 5 below this guarantee. Thus, for example, since immediately after a power supply failure, the quantity of hardened data in the volatile memory 5 will exceed the amount of hardened data which can be protected by the battery 10 (since it will have been discharged), then the processor 4 will instruct firmware client components of the storage subsystem using hardened data in the volatile memory 5 to soften their data until the quantity of hardened data is less than the current “guarantee”, at which point the client components are permitted to use the smaller quantity of available hardened memory as usual. As the battery 10 recharges, the guarantee level is raised accordingly, thereby allowing more data to be hardened.

FIG. 2 illustrates the operation of the storage adapter 1 in this manner. FIG. 2 is a graph showing the amount of hardened data (in terms of the number of pages of persistent or hardened memory) along the y-axis against time along the x-axis. The solid line in FIG. 2 is the actual number of hardened pages in the volatile memory 5 at the time indicated. The dashed line is the number of memory pages that the system can guarantee to preserve, given the charge in the battery, at the time indicated (which guarantee amount is, as discussed above, determined based on a conservative estimate of the charge in the battery and the data that can be written to the dump device 6 using that charge.)

In the example shown in FIG. 2, the system starts at time zero in a state with the battery 10 fully charged. The number of memory pages that the system can guarantee to preserve is therefore at its maximum level, and the system is accordingly placed in a “read/write” state, whereby firmware client components of the subsystem can harden and soften their data in the volatile memory 5 as they like subject to the guaranteed level of hardened data not being exceeded.

At time A, a loss of system power occurs, and accordingly the storage adapter 1 operates to dump the hardened data stored in the volatile memory 5 to the nonvolatile dump device 6 using the battery 10. Once the data dump finishes, the battery 10 is switched off at time B. The nonvolatile memory 6 is marked as being “valid”, indicating that it now stores a copy of data that is to be preserved and has not yet safely been restored.

A consequence of this data dump under battery power is that the remaining power capacity of the battery 10 is reduced, and as such the number of memory pages that can be protected by the battery (i.e. the guarantee) is reduced, as shown by the dashed line in FIG. 2. In this example, the data dump took place when there was almost the maximum amount of hardened pages in the volatile memory 5, and so the data dump accordingly took a significant amount of charge in the battery and so the guarantee is considerably reduced (although other situations would, of course, be possible).

When system power returns at time C, the hardened memory pages dumped to the dump device are copied back to the volatile memory 5 (i.e. restored). However, as shown in FIG. 2, the number of hardened pages will then exceed the guarantee. The volatile memory 5 is accordingly placed in a “read only” state for hardened data, such that the storage subsystem's firmware client components cannot harden new pages or modify the content of the current hardened pages. However, firmware client components of the subsystem can (and indeed are instructed to) soften memory pages to reduce their hardened pages towards the new guarantee.

The system is placed in a “read only” state in these circumstances because if there is another power failure whilst the number of hardened pages exceeds the guarantee, then the original hardened pages can still be restored from the dump device (since they are still stored there). Preventing new “hardened” data being written to the volatile memory (which new data could then be lost if there was another power supply failure, as all of the hardened data could not be dumped again because the temporary power supply would have insufficient capacity to do so) therefore ensures that any data marked as hardened can still safely be restored in the event of a second power supply failure.

It will be appreciated from this that another power failure in the “read only” state results in the same data as was previously restored being restored to the volatile memory 5 from the dump device 6.

As shown in FIG. 2, as the battery recharges, the guarantee increases, and once the guarantee has again risen above the number of hardened pages in the volatile memory 5, the system can return to the read/write state for hardened data, albeit with a reduced quantity of hardenable data, as shown at time D in FIG. 2. At this point the nonvolatile memory 6 can also be marked as “invalid”, indicating that its contents no longer need to be preserved and so can be safely written over.

It should be noted here that the “read/write” state of the volatile memory 5 is returned to after a few seconds of data softening, rather than the system having to wait for the battery 10 fully to recharge (which could, e.g., take an hour or more). Thus, the present invention permits some hardenable system memory to be available very quickly after a discharge due to a data dump.

FIG. 2 finally illustrates the unusual situation of a complete battery failure at time E. In this case, the guarantee immediately drops because of the battery failure. Such a drop in the guarantee could also occur, if there is, e.g., a re-estimation of the battery's capacity due to aging. In this situation, because there is not already a copy of the hardened data stored on the dump device 6 (unlike in the situation where a power supply failure has occurred), a main power failure would cause data loss (since the battery can no longer protect all the hardened data), and so the system is “exposed”, and client components must soften their hardened data immediately.

FIG. 3 is a state diagram that shows schematically the various possible states of the storage adapter 1. Thus, for example, when the storage adapter is in the read/write state 20, it is permitted to harden and soften memory pages so long as the number of hardened pages remains below the guarantee. Should the pages be hardened such that the number of hardened pages exceeds the guarantee, then the system enters the exposed state 21, and will remain in that state until such time as sufficient pages have been softened that the number of hardened pages is less than the guarantee, in which case the system can return to the read/write state 20.

When main power is lost, the system switches to the “dumping” state 22, where hardened data is dumped from the volatile memory 5 to the nonvolatile memory 6 using the battery supply. Once a dump is complete, the system moves to the off state 23, until the main power supply is restored, at which point the system moves to the restoring state 24, where the preserved data stored in the dump device 6 is restored to the volatile memory 5.

Once the restore is complete and the number of hardened pages is less than the guarantee, then the system can return to the read/write state 20. On the other hand, if once the restore is complete, the number of hardened pages exceeds the guarantee, then the system enters the read-only state 25, and client components soften their pages until the number of hardened pages is less than the guarantee, at which point the system can return to the read/write state 20.
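The guarantee calculation and the FIG. 3 state transitions described above can be sketched in C as follows. This is an added example, not code from the patent: the type and function names, the percentage-based linear model, the page counts, and the two transitions the text does not spell out (power loss in the exposed and read-only states, and the equality case after a restore) are assumptions, marked as such in the comments.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* States of FIG. 3; the values are the page's reference numerals. */
typedef enum {
    ST_READ_WRITE = 20, ST_EXPOSED = 21, ST_DUMPING = 22,
    ST_OFF = 23, ST_RESTORING = 24, ST_READ_ONLY = 25
} adapter_state;

typedef enum {
    EV_REEVALUATE,  /* battery estimate updated, or pages hardened/softened */
    EV_MAIN_POWER_LOST, EV_DUMP_COMPLETE,
    EV_MAIN_POWER_RESTORED, EV_RESTORE_COMPLETE
} adapter_event;

typedef struct {
    adapter_state state;
    uint32_t hardened_pages;  /* pages currently marked hardened */
    uint32_t charge_percent;  /* battery state of charge, 0..100 */
    uint32_t max_pages;       /* assumed: pages dumpable at full charge */
    uint32_t margin_percent;  /* assumed: safety margin on the estimate */
    bool     dump_valid;      /* dump device holds data not yet safely restored */
    uint32_t dumped_pages;    /* hardened pages held on the dump device */
} adapter;

/* Linear (flash dump device) relationship, reduced by the safety margin. */
uint32_t guarantee_pages(const adapter *a)
{
    uint32_t charge = a->charge_percent > 100u ? 100u : a->charge_percent;
    uint32_t margin = a->margin_percent > 100u ? 100u : a->margin_percent;
    uint64_t raw = (uint64_t)a->max_pages * charge / 100u;
    return (uint32_t)(raw * (100u - margin) / 100u);
}

/* New pages may be hardened only in read/write and only up to the guarantee. */
bool may_harden(const adapter *a, uint32_t extra_pages)
{
    return a->state == ST_READ_WRITE &&
           (uint64_t)a->hardened_pages + extra_pages <= guarantee_pages(a);
}

adapter_state step(adapter *a, adapter_event ev)
{
    uint32_t g = guarantee_pages(a);
    switch (a->state) {
    case ST_READ_WRITE:
        if (ev == EV_MAIN_POWER_LOST) a->state = ST_DUMPING;
        else if (ev == EV_REEVALUATE && a->hardened_pages > g) a->state = ST_EXPOSED;
        break;
    case ST_EXPOSED:  /* assumed target; the text only says data may be lost here */
        if (ev == EV_MAIN_POWER_LOST) a->state = ST_DUMPING;
        else if (ev == EV_REEVALUATE && a->hardened_pages < g) a->state = ST_READ_WRITE;
        break;
    case ST_DUMPING:
        if (ev == EV_DUMP_COMPLETE) {
            a->dumped_pages = a->hardened_pages;
            a->dump_valid = true;            /* marked "valid" at time B */
            a->state = ST_OFF;
        }
        break;
    case ST_OFF:
        if (ev == EV_MAIN_POWER_RESTORED) a->state = ST_RESTORING;
        break;
    case ST_RESTORING:
        if (ev == EV_RESTORE_COMPLETE) {
            a->hardened_pages = a->dumped_pages;
            /* Equality is treated conservatively as read-only (assumption). */
            a->state = a->hardened_pages < g ? ST_READ_WRITE : ST_READ_ONLY;
            if (a->state == ST_READ_WRITE) a->dump_valid = false;
        }
        break;
    case ST_READ_ONLY:
        /* Assumed: no second dump; the still-valid copy is restored again. */
        if (ev == EV_MAIN_POWER_LOST) a->state = ST_OFF;
        else if (ev == EV_REEVALUATE && a->hardened_pages < g) {
            a->dump_valid = false;           /* marked "invalid" at time D */
            a->state = ST_READ_WRITE;
        }
        break;
    }
    return a->state;
}

int main(void)
{
    /* Constructed scenario following FIG. 2: 850 hardened pages, full battery. */
    adapter a = { ST_READ_WRITE, 850, 100, 1000, 10, false, 0 };
    step(&a, EV_MAIN_POWER_LOST);
    step(&a, EV_DUMP_COMPLETE);
    a.charge_percent = 20;                   /* the dump drained the battery */
    step(&a, EV_MAIN_POWER_RESTORED);
    printf("after restore: state %d, guarantee %u pages\n",
           (int)step(&a, EV_RESTORE_COMPLETE), (unsigned)guarantee_pages(&a));
    return 0;
}
```

Softening is not gated in this sketch because the text permits it in the read/write, exposed and read-only states alike; the caller lowers `hardened_pages` and then sends `EV_REEVALUATE`.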

It will be appreciated that in the operation of the storage adapter in accordance with the present embodiment as described above, there will be times, for example when the system is in the “read-only” state, where the amount of hardened data exceeds the amount of such data that can be protected, and that accordingly the firmware client components of the subsystem will need to soften their hardened data to reduce the amount of hardened data down to the new, lower guarantee.

Where there is only a single user of the hardened memory, then this may not present too much difficulty. However, where there are a number of conflicting client components using the hardened memory, then while it would be possible simply to allocate the reduced available amount of hardened memory in, for example, fixed proportions between different users, the Applicants have, as discussed above, recognised that that may not always be the most desirable arrangement. A preferred embodiment for allocating the available hardenable memory that is in accordance with the present invention will therefore now be described.

It will be assumed for the purposes of this embodiment, that the storage subsystem contains a number of independent software layers that are part of the storage subsystem firmware, such as copy services, caching and RAID storage, each of which may need to use hardenable memory and each of which can be considered to be firmware “client components” of the storage subsystem. As is known in the art, each of these software layers can be considered to be effectively stacked one on top of each other, with each layer effectively operating to write to the layer or layers below. Each layer will also typically need access to sufficient hardenable memory to, e.g., process one input/output request or risk becoming deadlocked (which can then, e.g., deadlock the layers above it as well).

To reduce the risk of such deadlocks occurring, the available hardened memory capacity is in this embodiment divided between these firmware client components of the storage subsystem as follows. Firstly, when there is a full quota of hardenable memory capacity (i.e. the battery 10 is fully charged), then each client component of the subsystem is allocated a predetermined static quota of hardenable memory capacity for its use. However, when the available amount of hardenable memory capacity is restricted (i.e. less than the maximum value), then the various client components have their requirements satisfied in a predetermined priority order.

The priority order basically is arranged so as firstly to provide client components who require hardenable memory to ensure data integrity with their hardenable memory capacity requirement first. Once those client components have their hardened memory capacity requirements satisfied, then those client components that require hardenable memory for increased performance are allocated any “spare” hardenable memory in an order which enables the best performance.

The priority order for the allocation of available hardenable memory is also based on the dependencies between client components when softening their hardenable memory. Thus, for example, where firmware client components of the storage subsystem are dependent upon the ability of other client components to process their input/output requests before they themselves can process their input/output requests, the available hardenable memory is first allocated to those client components who if given access to that hardenable memory will then allow other client components to soften their own hardenable memory, as this accelerates the overall softening of the “excess” hardenable memory. Thus, for example, if client component X is dependent on client component Y to successfully soften its persistent memory, then client component Y is given the higher priority for the available hardenable memory.

Thus in this embodiment, the lower layers in the “client” component stack are given preferential access to the hardenable memory, so as to reduce the risk of a deadlock situation where the bottom layer in the stack does not have the ability to process writes because it cannot modify hardenable memory (because its quantity of hardened memory exceeds its guarantee) whilst the upper layers do have some or all of the limited hardenable memory guarantee, but still cannot perform input/output operations because they need the lower layers to process their input/output operations first.

Thus, considering the above examples of firmware client components of the data storage subsystem of cache, flash copy and RAID5 APU, of these client components, RAID5 APU requires at least some hardenable memory before it can operate, flash copy will perform slowly without hardenable memory, and cache does not require hardenable memory. Thus, these client components are in the present embodiment placed in the following priority order for hardenable memory (with the highest priority first): RAID5 APU, flash copy and cache.

Thus, in this embodiment, when all the client components that require hardenable memory to ensure data integrity have had their requirements satisfied, the dependent client components can then start using them to help soften their hardenable memory, and as the hardenable memory pool increases, any remaining dependent client components who require hardenable memory for increased performance can be allocated increasing quantities of hardenable memory in an order which enables the best performance.
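The allocation scheme of this embodiment (static quotas at full charge, priority order when the guarantee is restricted) can be illustrated with the following C sketch. It is an added example, not code from the patent: the structure fields, the four-level ranking, the two-pass split into required pages and spare pages, and all page and dependent counts in the sample table are assumptions chosen to reproduce the priority order RAID5 APU, flash copy, cache given above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CLIENTS 16

typedef enum { NEED_INTEGRITY, NEED_PERFORMANCE, NEED_NONE } need_class;

typedef struct {
    const char *name;
    need_class  need;          /* why the component wants hardenable memory */
    unsigned    dependents;    /* components relying on it to process their I/O */
    uint32_t    required;      /* pages it must have to operate (0 if none) */
    uint32_t    static_quota;  /* fixed share used when the battery is full */
} client;

/* Constructed sample: page counts and dependent counts are illustrative. */
static const client SAMPLE[3] = {
    { "cache",      NEED_NONE,        0,  0, 512 },
    { "flash copy", NEED_PERFORMANCE, 1,  0, 256 },
    { "RAID5 APU",  NEED_INTEGRITY,   2, 64, 256 },
};
#define SAMPLE_MAX 1024u  /* constructed maximum guarantee, in pages */

/* 0: data integrity, 1: others depend on it, 2: performance only, 3: neither. */
static unsigned rank_of(const client *c)
{
    if (c->need == NEED_INTEGRITY) return 0;
    if (c->dependents > 0) return 1;
    if (c->need == NEED_PERFORMANCE) return 2;
    return 3;
}

/* True when a must be served strictly before b. */
static int before(const client *a, const client *b)
{
    unsigned ra = rank_of(a), rb = rank_of(b);
    if (ra != rb) return ra < rb;
    return a->dependents > b->dependents;  /* lower layers first within a rank */
}

/* Stable insertion sort of indices 0..n-1 into priority order. */
void priority_order(const client *c, size_t n, size_t *order)
{
    for (size_t i = 0; i < n; i++) {
        size_t j = i;
        while (j > 0 && before(&c[i], &c[order[j - 1]])) {
            order[j] = order[j - 1];
            j--;
        }
        order[j] = i;
    }
}

/* Fills grant[i] with the hardenable pages for client i; returns -1 on bad n. */
int allocate(const client *c, size_t n, uint32_t guarantee,
             uint32_t max_guarantee, uint32_t *grant)
{
    size_t order[MAX_CLIENTS];
    if (n > MAX_CLIENTS) return -1;
    if (guarantee >= max_guarantee) {      /* full charge: static quotas */
        for (size_t i = 0; i < n; i++) grant[i] = c[i].static_quota;
        return 0;
    }
    priority_order(c, n, order);
    uint32_t left = guarantee;
    for (size_t k = 0; k < n; k++) {       /* pass 1: required pages */
        size_t i = order[k];
        uint32_t g = c[i].required < left ? c[i].required : left;
        grant[i] = g;
        left -= g;
    }
    for (size_t k = 0; k < n; k++) {       /* pass 2: spare, up to the quota */
        size_t i = order[k];
        uint32_t room = c[i].static_quota > grant[i] ? c[i].static_quota - grant[i] : 0;
        uint32_t g = room < left ? room : left;
        grant[i] += g;
        left -= g;
    }
    return 0;
}

int main(void)
{
    uint32_t grant[3];
    allocate(SAMPLE, 3, 300, SAMPLE_MAX, grant);   /* restricted guarantee */
    for (size_t i = 0; i < 3; i++)
        printf("%-10s %u pages\n", SAMPLE[i].name, (unsigned)grant[i]);
    return 0;
}
```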

The effect of this is that the available hardenable memory pool is assigned in a priority order which best enables the users of the hardenable memory to soften the hardenable memory more quickly, and accordingly reduce the overall quantity of hardened memory more quickly towards the available guaranteed amount of hardened memory that the system can support. This facilitates, for example, the system returning to a “read/write state” for hardened data from a “read-only” state as quickly as possible, by allocating the available hardened memory on an appropriate priority basis.
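The priority allocation described above can be sketched in C as follows. This is an added example, not code from the patent: the structure, function names and sizes are hypothetical, the linear relation between battery charge and dumpable data is an assumption, and handing out the performance share in the same priority order is one possible reading of "an order which enables the best performance".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example: field and function names are hypothetical, not from the patent. */
struct hm_client {
    const char *name;
    uint32_t required_kb;  /* needed for data integrity (0 = can run without) */
    uint32_t wanted_kb;    /* total it can use for performance */
    uint32_t hardened_kb;  /* hardened data it currently holds */
    uint32_t quota_kb;     /* out: its share of the guarantee */
    int must_soften;       /* out: holds more than its share */
};

/* Assumption: dumpable data scales linearly with battery state of charge. */
uint32_t hm_guarantee_kb(uint32_t charge_pct, uint32_t full_charge_dump_kb)
{
    if (charge_pct > 100)
        charge_pct = 100;
    return (uint32_t)(((uint64_t)full_charge_dump_kb * charge_pct) / 100);
}

/* c[] is ordered highest priority first (lowest layer of the stack first).
 * Returns the total excess hardened data that clients must soften. */
uint32_t hm_allocate(struct hm_client *c, size_t n, uint32_t guarantee_kb)
{
    uint32_t left = guarantee_kb, excess = 0;
    size_t i;

    /* Pass 1: integrity requirements first, in priority order. */
    for (i = 0; i < n; i++) {
        c[i].quota_kb = c[i].required_kb < left ? c[i].required_kb : left;
        left -= c[i].quota_kb;
    }
    /* Pass 2: what remains goes to performance, again in priority order. */
    for (i = 0; i < n; i++) {
        uint32_t extra = c[i].wanted_kb > c[i].quota_kb ? c[i].wanted_kb - c[i].quota_kb : 0;
        if (extra > left)
            extra = left;
        c[i].quota_kb += extra;
        left -= extra;
    }
    /* Clients over their share must soften before hardening anything new. */
    for (i = 0; i < n; i++) {
        c[i].must_soften = c[i].hardened_kb > c[i].quota_kb;
        if (c[i].must_soften)
            excess += c[i].hardened_kb - c[i].quota_kb;
    }
    return excess;
}

/* Admission check for a new hardened write of new_kb by one client. */
int hm_may_harden(const struct hm_client *c, uint32_t new_kb)
{
    if (c->hardened_kb > c->quota_kb)
        return 0;
    return new_kb <= c->quota_kb - c->hardened_kb;
}

/* Constructed sample: sizes are invented; the priority order is the patent's. */
uint32_t hm_demo(uint32_t charge_pct, struct hm_client out[3])
{
    const struct hm_client sample[3] = {
        { "RAID5 APU",  64, 128,  40, 0, 0 },
        { "flash copy",  0, 256, 200, 0, 0 },
        { "cache",       0, 512, 300, 0, 0 },
    };
    for (size_t i = 0; i < 3; i++)
        out[i] = sample[i];
    return hm_allocate(out, 3, hm_guarantee_kb(charge_pct, 1000));
}

int main(void)
{
    uint32_t pct[] = { 5, 25, 100 };
    struct hm_client c[3];
    for (size_t i = 0; i < 3; i++) {
        printf("charge %u%%: %u KB to soften\n", (unsigned)pct[i], (unsigned)hm_demo(pct[i], c));
        for (size_t j = 0; j < 3; j++)
            printf("  %-10s quota %4u KB\n", c[j].name, (unsigned)c[j].quota_kb);
    }
    return 0;
}
```

As the battery recharges, the quota reaches the upper layers only after RAID5 APU has its integrity requirement, which is the deadlock-avoidance ordering the text describes.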

The present invention has application wherever persistent (hardenable) memory may be required, such as in most storage subsystems and in applications such as write caching, RAID5 atomic parity updating and copy services.

As can be seen from the above, the present invention addresses the problem of the temporary power supply not always being fully charged (e.g. immediately after a data dump), by using a variable quota for the amount of hardenable memory that is available to a software module that requires such memory. The present invention also avoids the need to wait until the temporary power supply of the storage adapter is fully recharged after a data dump before use of hardened memory can be begun again, but instead permits some hardenable memory to be available much more quickly after a data dump.

Furthermore, the present invention, in its preferred embodiments at least, essentially eliminates the possibility of loss of hardened customer data that may be stored in the volatile memory. This is achieved by operating the storage adapter such that even in the event of multiple power losses, the hardened data is always either in the volatile memory and protected by sufficient temporary power supply capacity, or on the nonvolatile dump device.

It should be understood that at least some aspects of the present invention may alternatively be implemented in a program product, preferably performing the functions of the present invention in an automatic manner based on pre-determined criteria as described, including relative logical relationships between and among logic areas. Programs defining functions on the present invention can be delivered to a data storage system or a computer system via a variety of signal-bearing media, which include, without limitation, non-writable storage media (e.g., CD-ROM), writable storage media (e.g., a floppy diskette, hard disk drive, read/write CD ROM, optical media), and communication media, such as computer and telephone networks including Ethernet. It should be understood, therefore in such signal-bearing media when carrying or encoding computer readable instructions that direct method functions in the present invention, represent alternative embodiments of the present invention. Further, it is understood that the present invention may be implemented by a system having means in the form of hardware, software, or a combination of software and hardware as described herein or their equivalent.

While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention.

1. An apparatus for use in a data storage subsystem comprising: a volatile memory; a nonvolatile memory; a temporary power supply for supplying temporary power to the apparatus after interruption of a main power supply to the apparatus; means for detecting an interruption in the power supply to the volatile memory; means for, in the event of such detection, writing data stored in the volatile memory to the nonvolatile memory using power supplied by the temporary power supply; means for determining the state of the temporary power supply; and means for determining the amount of data stored in the volatile memory that can be written to the nonvolatile memory using power supplied by the temporary power supply on the basis of the determined state of the temporary power supply.
2. The apparatus of claim 1, wherein the nonvolatile memory is a flash memory.
3. The apparatus of claim 1, wherein the nonvolatile memory is a micro disk drive.
4. The apparatus of claim 1, wherein the temporary power supply is a rechargeable battery.
5. The apparatus of claim 1, further comprising: means for denoting data stored in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power interruption.
6. The apparatus of claim 1, further comprising means for setting a permitted amount of data that can be stored in the volatile memory based on a real-time power capacity level of the temporary power supply.
7. An apparatus for a data storage subsystem comprising: a volatile memory; a nonvolatile memory; a temporary power supply for temporarily supplying power to the apparatus in the event of a main power supply interruption; means for determining the state of the temporary power supply; means for denoting data stored in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of the main power supply interruption; and means for determining a permitted amount of data that can be stored in the volatile memory and that can be denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the determined state of the temporary power supply.
8. The apparatus of claim 7, further comprising: means for comparing the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption with the set permitted amount of such data.
9. The apparatus of claim 8, further comprising: means for, where the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the permitted amount of such data that has been set, instructing a firmware client component of the storage subsystem to reduce the amount of data it has denoted in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption.
10. An apparatus for a data storage subsystem, the apparatus comprising: a volatile memory; a nonvolatile memory; a temporary power supply for temporarily supplying power to the apparatus in the event of a main power supply interruption; means for determining the state of the temporary power supply; means for denoting data stored in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of the main power supply interruption; means for setting a permitted amount of data stored in the volatile memory that can be denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the determined state of the temporary power supply; means for comparing the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption with the set permitted amount of such data; and means for, where the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the permitted amount of such data that has been set, instructing a firmware client component of the storage subsystem to reduce the amount of data it has denoted in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption.
11. The apparatus of claim 10, further comprising: means for, where the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the permitted amount of such data that has been set, preventing the writing of any new data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption, while the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption exceeds the set permitted amount of such data.
12. An apparatus for a data storage subsystem comprising: a volatile memory; a nonvolatile memory; a power supply for temporarily supplying power to the apparatus in the event of a main power supply interruption; means for determining the state of the temporary power supply; means for denoting data stored in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of the main power supply interruption; means for setting a permitted amount of data stored in the volatile memory that can be denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the determined state of the temporary power supply; means for comparing the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption with the set permitted amount of such data; and means for, where the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the permitted amount of such data that has been set, preventing the writing of any new data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption, while the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption exceeds the set permitted amount of such data.
13. The apparatus of claim 12, further comprising: means for controlling the storage in the volatile memory of data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the nature of the data being stored and/or the nature of the client component requesting storage of the data in the volatile memory.
14. The apparatus of claim 13, further comprising: means for allocating memory capacity for data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the nature of the data being stored and/or the nature of the client component requesting storage of the data in the volatile memory.
15. The apparatus of claim 14, wherein access to memory capacity for data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is given preferentially to firmware client components of the storage subsystem that require such data storage to ensure data integrity.
16. The apparatus of claim 15, comprising: means for controlling the storage in the volatile memory of data that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory by different firmware client components of the storage subsystem on the basis of the dependency of at least one of the client components on another client component or components for processing its input/output requests to the storage subsystem.
17. The apparatus of claim 16, comprising: means for controlling the storage in the volatile memory of data that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory by different firmware client components of the storage subsystem on the basis of the ability of a or more than one of the client components to reduce the amount of data that it or they have stored in the volatile memory that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory.
18. A method of operating a data storage subsystem comprising a volatile memory, a nonvolatile memory, and a temporary power supply for supplying temporary power to the storage subsystem after the interruption of the power supply to the subsystem, in which in the event of the detection of an interruption of the power supply to the volatile memory, data from the volatile memory is written to the nonvolatile memory using power supplied from the temporary power supply, the method comprising: determining the state of the temporary power supply; and determining the amount of data stored in the volatile memory that can be written to the nonvolatile memory using power supplied by the temporary power supply on the basis of the determined state of the temporary power supply.
19. The method of claim 18, further comprising: determining a permitted amount of data that can be stored in the volatile memory and denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the state of the temporary power supply.
20. The method of claim 19, further comprising: comparing the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption with the determined permitted amount of such data.
21. The method of claim 20, further comprising: where the amount of stored data denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the determined permitted amount of such data, instructing a firmware client component of the storage subsystem to reduce the amount of data it has denoted in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption.
22. The method of claim 21, further comprising: where the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the determined permitted amount of such data, preventing the writing of any new data in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption, while the amount of data in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption exceeds the permitted amount of such data.
23. The method of claim 22, further comprising: controlling the storage in the volatile memory of data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the nature of the data being stored and/or the nature of the client component requesting storage of the data in the volatile memory.
24. The method of claim 23, further comprising: allocating memory capacity for data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the nature of the data being stored and/or the nature of the client component requesting storage of the data in the volatile memory.
25. The method of claim 24, further comprising: giving access to memory capacity for data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption preferentially to firmware client components of the storage subsystem that require such data storage to ensure data integrity.
26. The method of claim 25, further comprising: controlling the storage in the volatile memory of data that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory by different firmware client components of the storage subsystem on the basis of the dependency of at least one of the client components on another client component or components for processing its input/output requests to the storage subsystem.
27. The method of claim 26, further comprising: controlling the storage in the volatile memory of data that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory by different firmware client components of the storage subsystem on the basis of the ability of a or more than one of the client components to reduce the amount of data that it or they have stored in the volatile memory that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory.
28. A computer program product, residing on a computer usable medium, for use with operating a data storage subsystem comprising a volatile memory, a nonvolatile memory, and a temporary power supply for supplying temporary power to the storage subsystem after the interruption of the power supply to the subsystem, in which in the event of the detection of an interruption of the power supply to the volatile memory, data from the volatile memory is written to the nonvolatile memory using power supplied from the temporary power supply, the computer program product comprising: program code for determining the state of the temporary power supply; and program code for determining the amount of data stored in the volatile memory that can be written to the nonvolatile memory using power supplied by the temporary power supply on the basis of the determined state of the temporary power supply.
29. The computer program product of claim 28, further comprising: program code for determining a permitted amount of data that can be stored in the volatile memory and denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the state of the temporary power supply.
30. The computer program product of claim 29, further comprising: program code for comparing the amount of data stored in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption with the determined permitted amount of such data.
31. The computer program product of claim 30, further comprising: program code for, where the amount of stored data denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the determined permitted amount of such data, instructing a firmware client component of the storage subsystem to reduce the amount of data it has denoted in the volatile memory as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption.
32. The computer program product of claim 31, further comprising: program code for, where the amount of stored data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption is found to exceed the determined permitted amount of such data, preventing the writing of any new data in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption, while the amount of data in the volatile memory that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption exceeds the permitted amount of such data.
33. The computer program product of claim 32, further comprising: program code for controlling the storage in the volatile memory of data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the nature of the data being stored and/or the nature of the client component requesting storage of the data in the volatile memory.
34. The computer program product of claim 33, further comprising: program code for allocating memory capacity for data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption on the basis of the nature of the data being stored and/or the nature of the client component requesting storage of the data in the volatile memory.
35. The computer program product of claim 34, further comprising: giving access to memory capacity for data that is denoted as being data that should be written to the nonvolatile memory using power supplied by the temporary power supply in the event of a power supply interruption preferentially to firmware client components of the storage subsystem that require such data storage to ensure data integrity.
36. The computer program product of claim 35, further comprising: controlling the storage in the volatile memory of data that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory by different firmware client components of the storage subsystem on the basis of the dependency of at least one of the client components on another client component or components for processing its input/output requests to the storage subsystem.
37. The computer program product of claim 36, further comprising: controlling the storage in the volatile memory of data that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory by different firmware client components of the storage subsystem on the basis of the ability of a or more than one of the client components to reduce the amount of data that it or they have stored in the volatile memory that is denoted as being data that should be written to a nonvolatile memory using power supplied by the temporary power supply in the event of an interruption in the power supply to the volatile memory.
38. A system comprising: a host computer; a hard drive; and a storage adapter logically oriented between the host computer and the hard drive, the storage adapter composed of: a controlling processor, a volatile memory, a temporary power supply, and a non-volatile memory, wherein the storage adapter stores in the volatile memory a mirror image of data being sent from the host computer to the hard drive, and wherein, in response to the host computer experiencing a power interrupt, the controlling processor controls the writing of the mirror image from the volatile memory to the non-volatile memory using power from the temporary power supply.
39. The system of claim 38, wherein the temporary power supply is a battery.
40. The system of claim 38, wherein the amount of data stored in the volatile memory in the storage adapter, at any point in time, is set according to the amount of power stored in the temporary power supply, such that the amount of power stored in the temporary power supply is sufficient for providing power for the writing of the mirror image data from the volatile memory to the non-volatile memory.
41. The system of claim 40, wherein the non-volatile memory is a flash memory.